Integrating WAFs And Vulnerability Scanners

Sharing vulnerability scanning data with a WAF could expedite shielding Web apps from newly discovered flaws, but it also opens the door for false positives

An industry effort to integrate Web application firewalls (WAFs) with vulnerability scanning tools never got off the ground when it was first launched five years ago, but today the idea of blending the two tools is generating interest -- and debate -- once again. More mature vulnerability scanners that are less false-positive prone and more advanced WAFs, along with PCI compliance pressures and increasing Web threats, have prompted some security experts and enterprises to consider how the tools could better share information about -- and mitigate -- attacks and risks to their Web applications.

"We're starting to see vendors talking about levels of integration," says Neil MacDonald, vice president and Gartner fellow.

Art of Defence, Breach Security, and WhiteHat Security, for example, are among the security vendors offering some early form of WAF-application scanning integration. Art of Defence, for instance, allows users to plug vulnerability scan data into its Hyperguard WAF and automatically generate new rule sets, while WhiteHat uses a mix of vulnerability scanning, WAF tools, and manpower with its vulnerability management service offerings.

Blending vulnerability scanning and WAFs works well for service providers like WhiteHat Security, according to MacDonald, because they employ both tools and people to handle vulnerability assessments and fixes. "The reason this model is working well for some customers is because WhiteHat uses humans and automation to find vulnerabilities," MacDonald says. "By the time the vulnerabilities are determined, they are highly specific and less prone to false positives because they have the human element on the back-end of the testing services.

"That's why WhiteHat is pioneering [this]. It's not an application scanning tool, but a service using a combination of tools and humans to create very specific vulnerability information."

WAFs traditionally have been used for identifying and blocking attacks and alerting the appropriate IT staff, while vulnerability scanners are used to find vulnerabilities and flaws in the Web apps. "They are mainly looking for two different things," says Ryan Barnett, director of application research at Breach Security, which integrates its WAF with WhiteHat's vulnerability management services. "There is a little overlap...[Breach's WAF] looks at application integrity or defects and misconfigurations," he says.

The main advantage of importing vulnerability scan data into a WAF is it gives the organization more information and insight about when and where to block Web traffic, he says.

But not everyone is sold on integrating WAFs and vulnerability scanners -- especially if it means automating their interactions. "Combining them doesn't help you identify more problems or reduce false positives. It just provides you with the ammo to get from the, 'I identified a problem' stage to the, 'I am no longer vulnerable' stage," says Arshan Dabirsiaghi, director of research for Aspect Security and developer of the ESAPI WAF, a new open-source Web application firewall. "Making this process automatic would be quite dangerous since tools unfortunately find lots of vulnerabilities where there are none, and this would mean a ton of 'patches' to nonexistent vulnerabilities, which would then create some seriously unpredictable behavior."

Georg Hess, founder and CEO of Art of Defence, says his customers are asking for the two tools to be integrated. The company's Hyperguard WAF lets users plug vulnerability scanner findings into it to automatically create new rule sets and defenses. Hyperguard is also integrated with Virtual Forge's SAP vulnerability scanner.

"The decision to not build scanning right into Hyperguard was on purpose. We didn't want to force customers into a vendor-lock situation by integrating vulnerability scanning into our dWAF. We've found that most customers have their own scanners, and they are comfortable with them and would rather not change," he says. "We do have a scanner module as an optional solution if a customer needs one, but most already have one in place and would prefer not to change."

With the OASIS effort to establish a standard for WAFs and application vulnerability scanners to share data long defunct, it likely will come down to each vendor exposing its own APIs. Another hurdle to getting WAFs and scanners to work together is the fact that the two tools are typically purchased and run by different groups within an enterprise. "Vulnerability scanners are usually with the infosec team, and WAFs with the operations/network security team," Breach's Barnett says.

Breach's WebDefend has a feature called Change Detection that's a precursor to this type of cooperation. When a Web application gets a new feature, such as a Feedback page, for instance, the team doing vulnerability scanning may not know. "We can flag that and do a policy that emails the infosec team to know an app changed if they want to kick off a scan," he says. "This would be more targeted...the idea of sharing between the tools makes things more efficient."

And integrating vulnerability scanning data with a WAF would narrow the window between finding a vulnerability and creating a so-called virtual patch for the application, or a "shield," experts say.
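To make the scanner-to-WAF handoff concrete, here is an added example (not code from Art of Defence, Breach Security, WhiteHat, or the ESAPI WAF) that turns scanner findings into virtual-patch rules in ModSecurity's SecRule syntax. The JSON finding format, the "verified" flag, and the per-parameter whitelist patterns are assumptions for illustration. The generator addresses the false-positive objection raised above by emitting a log-only rule for any finding a human has not confirmed, so an automated import cannot block legitimate traffic on a phantom vulnerability.

```python
"""Generate ModSecurity-style virtual patches from vulnerability scanner output.

Added example, not vendor code. The scanner JSON layout, the 'verified' flag and
the parameter whitelists are assumptions; the emitted lines use ModSecurity
SecRule syntax (a positive-security check on the affected parameter).
"""
import json
import re

# Constructed sample scanner output (assumed format, not a real vendor feed).
SCAN_RESULTS = json.dumps([
    {"id": "f1", "url": "/feedback.php", "param": "email",
     "type": "sqli", "verified": True},
    {"id": "f2", "url": "/search.php", "param": "q",
     "type": "xss", "verified": False},
    {"id": "f3", "url": "/account/update.php", "param": "phone",
     "type": "sqli", "verified": True},
])

# Assumed whitelist per parameter name; anything unlisted gets a generic pattern.
PARAM_PATTERNS = {
    "email": r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$",
    "phone": r"^\+?[0-9 ()-]{7,20}$",
}
DEFAULT_PATTERN = r"^[A-Za-z0-9 ._@-]{0,200}$"

RULE_ID_BASE = 900000  # assumed private rule-id range for generated rules


def load_findings(scan_json: str = SCAN_RESULTS) -> list:
    """Parse the scanner export into a list of finding dicts."""
    return json.loads(scan_json)


def _escape(text: str) -> str:
    """Escape characters that would terminate a quoted SecRule operand or msg."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def build_rule(finding: dict, rule_id: int) -> str:
    """Emit a two-part chained SecRule: match the vulnerable URL, then fire if
    the named parameter violates its whitelist. Verified findings deny the
    request; unverified ones only log, so a scanner false positive cannot
    turn into a blocking 'patch' for a vulnerability that does not exist."""
    action = "deny,status:403" if finding.get("verified") else "pass"
    pattern = PARAM_PATTERNS.get(finding["param"], DEFAULT_PATTERN)
    msg = f"Virtual patch {finding['id']}: {finding['type']} in {finding['param']}"
    first = (f'SecRule REQUEST_FILENAME "@streq {finding["url"]}" '
             f'"id:{rule_id},phase:2,t:none,log,{action},chain,msg:\'{_escape(msg)}\'"')
    second = f'    SecRule ARGS:{finding["param"]} "!@rx {_escape(pattern)}" "t:none"'
    return first + "\n" + second


def generate_rules(scan_json: str = SCAN_RESULTS) -> list:
    """Build one rule per finding, with sequential ids from RULE_ID_BASE."""
    return [build_rule(f, RULE_ID_BASE + i) for i, f in enumerate(load_findings(scan_json))]


def count_blocking(rules: list) -> int:
    """How many generated rules would actually deny traffic."""
    return sum(1 for r in rules if ",deny," in r)


def rule_outcome(finding: dict, value: str) -> str:
    """Simulate the generated rule against one parameter value: 'allow' if it
    matches the whitelist, else 'block' (verified) or 'log' (unverified)."""
    pattern = PARAM_PATTERNS.get(finding["param"], DEFAULT_PATTERN)
    if re.search(pattern, value):
        return "allow"
    return "block" if finding.get("verified") else "log"


if __name__ == "__main__":
    for rule in generate_rules():
        print(rule)
```

Running the block prints three rule pairs; only the two verified findings carry `deny,status:403`, while the unverified XSS finding is emitted with `pass` so it shows up in the audit log without affecting users. Promoting a log-only rule to blocking is then a deliberate step taken after someone confirms the finding, which is the human-in-the-loop model the service providers in this article rely on.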

Gartner's MacDonald says his clients are asking about integration when they evaluate WAFs and vulnerability scanners. But it's not something widely available at this point that they can buy, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading.